author | Behdad Esfahbod <behdad@gnome.org> | 2006-05-01 14:45:56 +0000 |
---|---|---|
committer | Behdad Esfahbod <behdad@src.gnome.org> | 2006-05-01 14:45:56 +0000 |
commit | 0a7f8d6fb481d2bd502b5f376a0dcef6f82ee0ff (patch) | |
tree | b61502955b33de7ed450953e98926c50611bded4 | |
parent | 29b48d2171562fb43b3c9ffc86e1904aff462d86 (diff) | |
Bug 340229 – pango_font_description_from_string does not do bound
2006-05-01 Behdad Esfahbod <behdad@gnome.org>
Bug 340229 – pango_font_description_from_string does not do bound
checking
* pango/fonts.c (pango_font_description_set_size),
(pango_font_description_set_absolute_size), (parse_size):
* pango/pango-markup.c (span_parse_func): Don't accept negative font
sizes, and make sure sizes don't overflow.
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | pango/fonts.c | 4 | ||||
-rw-r--r-- | pango/pango-markup.c | 2 |
3 files changed, 14 insertions, 2 deletions
@@ -1,3 +1,13 @@ +2006-05-01 Behdad Esfahbod <behdad@gnome.org> + + Bug 340229 – pango_font_description_from_string does not do bound + checking + + * pango/fonts.c (pango_font_description_set_size), + (pango_font_description_set_absolute_size), (parse_size): + * pango/pango-markup.c (span_parse_func): Don't accept negative font + sizes, and make sure sizes don't overflow. + 2006-04-29 Behdad Esfahbod <behdad@gnome.org> * configure.in: Require cairo >= 1.1.2. Also pass -no-undefined on all diff --git a/pango/fonts.c b/pango/fonts.c index 59da712a..83cc05d9 100644 --- a/pango/fonts.c +++ b/pango/fonts.c @@ -348,6 +348,7 @@ pango_font_description_set_size (PangoFontDescription *desc, gint size) { g_return_if_fail (desc != NULL); + g_return_if_fail (size >= 0); desc->size = size; desc->size_is_absolute = FALSE; @@ -392,6 +393,7 @@ pango_font_description_set_absolute_size (PangoFontDescription *desc, double size) { g_return_if_fail (desc != NULL); + g_return_if_fail (size >= 0); desc->size = size; desc->size_is_absolute = TRUE; @@ -849,7 +851,7 @@ parse_size (const char *word, char *end; double size = g_ascii_strtod (word, &end); - if ((size_t)(end - word) == wordlen) /* word is a valid float */ + if ((size_t)(end - word) == wordlen && size >= 0 && size <= 1000000) /* word is a valid float */ { if (pango_size) *pango_size = (int)(size * PANGO_SCALE + 0.5); diff --git a/pango/pango-markup.c b/pango/pango-markup.c index 5a5b67e0..afe8a933 100644 --- a/pango/pango-markup.c +++ b/pango/pango-markup.c @@ -997,7 +997,7 @@ span_parse_func (MarkupData *md, n = strtoul (size, &end, 10); - if (*end != '\0') + if (*end != '\0' || n < 0 || n > 1000000) { g_set_error (error, G_MARKUP_ERROR, |
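Review bot: The added `g_return_if_fail (size >= 0);` in pango_font_description_set_size is a precondition assertion rather than input validation. GLib compiles it out when built with G_DISABLE_CHECKS, and otherwise it logs a critical and returns with desc unchanged. Callers that take sizes from untrusted text should keep validating before the call, as parse_size and span_parse_func do later in this commit. The function's doc comment is outside the hunk; it should state that negative sizes are rejected and that the description is left unmodified in that case. The same applies to the identical check added to pango_font_description_set_absolute_size.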
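Review bot: The check added to pango_font_description_set_absolute_size bounds `size` only from below, yet the following statement `desc->size = size;` stores a double into what appears to be an integer field (set_size assigns a gint to the same member). Converting a double that lies beyond the int range is undefined behaviour in C, so the overflow the commit message mentions still seems reachable through this setter. An upper bound closes it: `g_return_if_fail (size >= 0 && size <= G_MAXINT);`. NaN is already rejected, because `size >= 0` is false for it.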
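Review bot: The literal `1000000` in the new parse_size condition is unexplained and is repeated in span_parse_func in pango/pango-markup.c. There it is compared against the raw parsed number rather than a value that is then multiplied by PANGO_SCALE, so the two limits may not be in the same unit. A shared named constant, with a comment giving its unit and why `size * PANGO_SCALE + 0.5` stays within int, would make the bound auditable. The trailing comment no longer describes the condition; `/* word is a valid float within the accepted size range */` would match it. parse_size begins and ends outside the hunk.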
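Review bot: In span_parse_func the new `n < 0` test is meaningful only if `n` is signed; strtoul returns unsigned long, and the declaration of n is outside the hunk. If n is unsigned the comparison is always false, and negative input is rejected only because strtoul wraps it to a large value that `n > 1000000` catches. If n is a narrower signed type, the result is truncated before the range check, so an out-of-range number could pass it. Parsing into an unsigned long and checking only the upper bound avoids both: `unsigned long v = strtoul (size, &end, 10);` followed by `if (*end != '\0' || v > 1000000)`.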